I’ve now had some time to read the Combating Online Infringement and Counterfeits Act (you can too). Reactions to follow, but first a quick sketch of the bill:
The bill gives the Attorney General specific powers to go after websites that are “dedicated to infringing activities.” (This is both the copyright and trademark context, but I’m going to focus on the former.) The statute defines “dedicated to infringing activities” as websites (1) “primarily designed” for trademark and copyright infringement, (2) lacking “demonstrable, commercially significant purpose or use” other than infringement, or (3) marketed by its operator to offer infringement. When taken together, these activities must be “central” to the activity of the website to meet this definition.
I used the word “infringement” above. It’s important to note that this is not speaking of traditional, primary infringement, or even established doctrines of vicarious, contributory, and inducement liability. It extends further than that, covering those “enabling” or “facilitating” infringement. (I would argue this to be further than the “knowing inducement” standard of contributory liability.) It also covers those offering or providing access to copyright-protected materials, including providing links to other Internet resources used to obtain copies. This too is an expansion of liability, though previously recognized in some lower-court opinions.
Under this bill the Attorney General has the power to proceed in rem against a domain name used by a website “dedicated to infringing activity.” The in rem nature of this is important: instead of having the lawsuit proceed against the person responsible for the infringing activity, the lawsuit is filed over the website itself. Thus, a judgment over the property binds the world with respect to the property, instead of just binding the defendant in the particular case.
The AG must send notice to the “registrant of the domain” (if available) and publish notice of the action. The lawsuit would either be filed in the District of Columbia (if the registry is outside the United States) or the district housing the registrant or registry of the domain. All court documents are to be served on the “domain name registrar,” or, failing that, on the “registry.” The remedy provided is injunctive and not monetary – a temporary restraining order, a preliminary injunction, and/or a permanent injunction. All the requirements for having a court issue this injunction are tied to Rule 65 of the Federal Rules of Civil Procedure, and presumably require the standard demonstrations of proof for those remedies. Should a court be persuaded that an injunction is appropriate, the AG can then serve the court’s order on the registrant or registry, who is then ordered to suspend operation of the website and lock the domain name. If the registry is foreign, the AG can (with a court order) tell a “service provider,” a financial transaction provider, or an advertising agent on the website to cease serving that website, effectively creating a firewall for the average American user.
The bill does provide for modification of a court order. The owner or operator of the website may petition the court to modify, suspend, or vacate the order based on evidence that it is no longer “dedicated to infringing activities” or that the order should be vacated in the interest of justice. The AG can petition for modification to expand it to cover a migratory domain name and to include additional domain names “used in substantially the same manner” as the initial site. Should the domain name registration expire, the court order automatically ceases.
As mentioned above, the AG will maintain a public listing of domains subject to this order, as well as those that the DoJ believes to be qualifying, but for which the AG has not yet filed an action. The AG also must inform our Intellectual Property Enforcement Coordinator (colloquially known as the “Copyright Czar”), who will also post the affected domain names on a public website. The AG must also publish a procedure for receiving information from the public about sites “dedicated to infringing activities,” and give guidance to IP-holders as to how to provide the DoJ with information to begin an investigation.
So that’s the bill, and here are my reservations about it:
My first reaction is one shared by EFF and several other groups – this is the very first time I can think of where the United States is prepared to assert its sovereign domain over the entire Internet. By proceeding in rem and going after domain name registries directly, we are leveraging the coincidental fact that most of the major top-level root domain servers are located inside of the United States, and most of the domain registration services (the GoDaddys and Dotsters of the world) are located here too. The reason for doing this is obvious: it’s expedient. The defendant may be hard to identify, located abroad, or deliberately hard to reach. Instead of going after her they can go after the servers she uses, which usually have fixed business addresses and legal departments. (I’m not quite sure if this is meant to cover the DNS root servers or the domain name registration services themselves – more on that below.) In the rare cases where the United States does not house the addressing servers, the bill’s solution is to simply throw up a firewall, which is a pretty extreme measure.
This would not be a problem if I believed that this would only be used to go after websites solely dedicated to posting up torrents for movies, but I doubt this is the case. The terms used here seem to expand further than that. They encompass The Pirate Bay and MegaUpload for sure (and make no mistake, they are the targets of this legislation), but the bill arguably covers many more sites. This has great potential to seriously upset the balance of liability between websites and content controllers. In the Sony Betamax case we gave technology creators a wide berth, shielding them from liability when a technology was capable of “substantial non-infringing uses.” Justice Breyer’s concurrence in Grokster states that the Court in Sony was looking at about 9% non-infringing use, and found that small percent to be “substantial” enough. Is 9% non-infringing use “commercially significant” enough to avoid in rem takedown here? Tumblr is a service that is largely dedicated to sharing media, often without the copyright owner’s authorization. Should they fail to show a commercially substantial use that isn’t dedicated to hosting infringing media files, could they be subject to takedown? And what about those of us that use BitTorrent to share legally? Or use drop.io or MegaUpload simply because our email servers don’t let us send 100 MB attachments? Or use Tumblr to share media that we ourselves created? If we don’t make up a commercially significant share of the website’s population do we lose our service?
I think this liability shift is especially powerful with respect to websites driven by third-party content. We generally immunize web service providers from liability based on conduct of visitors to the site, whether it be copyright under the DMCA or libelous speech under Section 230. When proceeding in rem there is no meaningful way to distinguish between content posted by third parties and content posted by the website provider. As Public Knowledge points out, a small-scale media sharing site like a nascent YouTube could easily be taken down. Why this is so dangerous is an obvious point raised by many other critics – posting material online is an exercise of free expression, and services which aggregate many users are particularly strong forums for such expression, due to their bandwagon nature and ease of access. We should not so wantonly jeopardize these fora.
This is not to say that all is lost in this bill. I take comfort in the fact that this is purely a remedy available to the Justice Department. Prosecutorial discretion will no doubt mitigate these fears about sweeping up free expression and put any action into some form of greater utilitarian calculus. But Prof. Seltzer makes a good point about the private sector’s involvement in this bill – IP-owners are given an input into the Attorney General’s execution of the policy, but no similar mechanism is made for advocates for the websites. The weight of this legislation is clearly in favor of existing content owners. No wonder Hollywood is so excited about the prospects of this bill. At least the bill gives us transparency, which (ideally) should help us inform public debate over the merits of this bill’s eventual execution.
Two other, more minor, problems add to my general displeasure. First, I highly doubt this will be effective at stopping online piracy. If the allegedly infringing website is only using a service like Go Daddy to register their domain name, leaving content servers elsewhere, this is going to make little practical difference. Maybe you can’t type in “thepiratebay.org” and have it resolve to the Pirate Bay anymore. But if you are sophisticated enough to type “188.8.131.52” into your address bar, you’ll still get the Pirate Bay. Cutting off the name server will not kill the website. The Internet is deliberately decentralized in that way. It would take active network filtering nation-wide to have the effect of blocking the Pirate Bay in the United States, which is a very drastic step indeed. But say we take that step – what’s to stop the pirates from creating a proxy server network to frustrate that means as well? Congress is trying to beat web-geeks at their own game. That is as Sisyphean as it is stupid.
Second, in my opinion the bill suffers from some poor drafting. For example, who exactly does the AG give notice to under this bill? The bill carefully defines what it means to be “dedicated to infringing activity,” but other vital terms like “domain registry” and “registrant” get no clarity. When the bill speaks of the “registrant,” does it refer to the person who signs up with Go Daddy to get “mywebsite.com,” or is it Go Daddy, who has to go to VeriSign when it registers any “.com” domain name? Both parties are registering something from a registry, but with which one does the Attorney General interact? I can make an argument either way. The bill uses the term “operator” to define the person responsible for controlling the content of the site, so should we assume the website owner is the “operator,” the “registrant” is their domain name service, and the “registry” is VeriSign? On the other hand, “registrant” does appear in one other section in Title 18, referring there to the user of a web service. Should we impute a similar definition here? My guess, based on the way in which this bill distinguishes “registrants” from a “registry,” is that the “registrant” is the person who registers a domain name from a “registrar” like Go Daddy, but it’s far from certain. The bill has similar trouble trying to define who an online “service provider” is. The statute reflexively defines Internet “service provider” by its definition in 17 U.S.C. § 512(k)(1). The problem is, that section has two different definitions for service provider – either an ISP as we think of the term colloquially, or anyone who provides any service on the Internet. Would it have been so hard to pick one definition and include it in the bill?
I said a few days ago that I agree in spirit with the bill, and I still feel the same way today. I do not follow my colleagues who categorically reject using in rem tactics to try and stop infringing activity on the Internet. I do not think cyberspace should be categorically immune from government intervention. I recognize that there will be times when we cannot reach the person, and can only exercise power over the data the person left in a server in Virginia. But going after a website for its content should be a last resort, narrowly defined and restrained in execution. I accept the view that speech which infringes copyright is not subject to First Amendment protection, but any attempt to restrain expression should only follow a full and fair adjudication of the infringement question. It should be applicable only to those services which already fit our existing doctrines of secondary infringement liability. We should not attempt to sweep so broadly without mechanisms to better protect what might get swept up as collateral damage. It is not hard to imagine a website that has important expressive value, but nevertheless is removed from the Internet or blocked in the United States due to its inducement of copyright infringement. Hell, even the Pirate Bay runs a blog.
And there is one remedy here that I will never endorse: Internet filtering. We are seriously debating installing what can only be described as a nation-wide firewall. Consider the company we would keep doing so.